Is anyone monitoring user permissions/access to SharePoint / Office365 sites...
Hello, we currently have a use case to examine the permissions/access associated with a user's Office365 or SharePoint account. There are a ton of different O365 audit logs that are related to access...
Is there any data transfer rates between search head and indexers?
Just wanted to know, is there any bandwidth rate for the Splunk search head to retrieve the logs from indexers for searchability? If yes, how can one find it?
Using timechart, is there a way to calculate mean/max/min, etc while...
I have a process that experiences about 8640 events per day, or what I would expect to be an average of 0.1 events per second. Multiple events could occur in the same second, but overall, there are...
Need help understanding why Splunk is showing "unknown" for usernames in my...
I will demonstrate by example to show what the problem is. Below is my search string index="*" host="*" sourcetype="*" user=* type=USER_LOGIN This shows me all users that have logged in during the last...
Can I test SEDCMD from command line using oneshot?
I am attempting to test a SEDCMD for event manipulation and it does not appear this is possible via oneshot? When I try to test SEDCMD in my props.conf it never appears to work. **props.conf** [testst]...
Splunk REST API: Issue with flattening JSON-formatted results
So I call the Splunk REST API and collect results in JSON format and that is kind of okay. Then I would like to pass it to `splunk.Intersplunk.outputResults()` Intersplunk fails to flatten this kind of...
Failed installation/upgrade of Splunk Enterprise on my 64-bit Windows 7...
Background: I had the 30-day trial of Splunk Enterprise 6.4.0 running on my 64-bit Windows 7 computer. On the login page, I noticed the version and remembered that the newest one was 6.6.2, and I...
Post processing using transforming command
While using post process, I have set the base search as "index=_test source="/logs/trans.log" component=core|fields activity". In my post process query, I am using the below search: timechart span=1h count(activity)...
How can I reduce the amount of data being saved to my index?
Hi guys! I have multiple Palo Alto Network Apps for Splunk devices sending their syslog data to my Splunk instance. I've tailored what I can on the Palo Alto side of the house but was wondering if...
Missing logs from Splunk?
Specifically, the WinEventLog:Security events have vanished from my search results for approximately two to three months, but currently all the logs are being indexed and are also searchable, and the retention period...
DB Connect Source
I setup Splunk DB Connect to pull in log files that are stored in a MS SQL database. The logs have a Source column that is being excluded from the search results, since Connect DB makes you set a...
Network Monitoring between Enterprise Security Search Head and Indexers
Is it possible to set up monitoring of the data transfer rates between search head and indexer? We are especially interested in the amount of data transferred for the scheduled searches that Enterprise...
I have a question on SSH, I don't know how to connect, can anyone help me?
I am typing all the commands like splunk start, splunk help, nothing is working. I don't know what to do; every time it shows "command not found".
Show difference of 2 accumulated values in line chart
Hi, I have created a chart to show the accumulated number of open and closed tickets. My code: sourcetype=snow:incident | dedup number | search dv_assignment_group=*israel*...
XML Field extraction from Syslog messages
I am receiving XML-formatted messages via Logstash which are then forwarded to Splunk over syslog. xmlkv allows for parsing of all of the fields during search, but I need all of the fields to always be...
Why are my logs sent to the default index?
Greetings all, I am new to Splunk and trying to know my way around it. I created a home lab environment with the following details: * 1 search head, 1 indexer, and 1 Heavy forwarder ( All Linux). * 1...
Fix loss of text formatting in dashboard table field/column in Simple XML
Hello, I find it difficult to properly display relatively large text fields in dashboard tables (Simple XML). New lines are lost when displayed in a dashboard table column, while being correct in the raw event....
Extract field data using regex for space delimited logs
Hi, my splunk logs are in the following format : "POST /v2/endpoint HTTP/1.0" 200 91 "http://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)...
Data is deleted from cold db before reaching the retention period?
The environment is standalone and installed splunk on D:drive. For particular index declared the db location in F:drive for hot and warm buckets and the cold db location is I:drive. The retention...
Can I check that a transaction does not contain more than 1 arbitrary field?
I have a log that tracks fruit names over the course of a session (OK, not really, but let's go with that). All valid sessions contain exactly 1 banana and 1 orange, and may also contain pineapple,...